Bitdefender, a cybersecurity firm, has uncovered a large-scale ad fraud and phishing campaign involving 331 malicious apps on the Google Play Store. Known as Vapor Operation, the campaign bypassed Android 13 security measures and amassed over 60 million downloads. Initially discovered by IAS Threat Lab in early 2024, the operation was first linked to 180 apps before further analysis revealed its full scale.

Researchers found that these malicious apps disguised themselves as legitimate tools while secretly flooding users with intrusive ads, stealing credentials, and even harvesting credit card details. In a statement to BleepingComputer, Google confirmed that “all of the identified apps from this report have been removed from Google Play.” However, Bitdefender’s report noted that by the time their research concluded, 15 of these apps were still available on the platform.

Vapor Operation Explained

The Vapor Operation campaign, orchestrated by G, has been active since early 2024. Initially launched as an ad fraud scheme, it was first reported by IAS Threat Lab, which linked 180 apps to the operation. These apps generated a staggering 200 million fraudulent ad requests daily, exploiting fake clicks to drain advertisers’ budgets.Bitdefender’s latest report reveals that the Vapor Operation campaign has expanded to 331 malicious apps across various categories, including health trackers, QR scanners, note-taking tools, and battery optimizers.

Here is a list of some of the apps –
Notable apps involved in the Vapor Operation campaign include AquaTracker, ClickSave Downloader, and Scan Hawk, each surpassing 1 million downloads, along with TranslateScan and BeatWatch, which have between 100,000 and 500,000 downloads.

Reports indicate these apps were uploaded to Google Play between October 2024 and March 2025, primarily targeting users in Brazil, the US, Mexico, Turkey, and South Korea.

How did the App Avoid Detection?
Vapor Operation stood out for its ability to bypass Google’s Android security. The malware initially posed as ad-based apps, with malicious code delivered later via C2 servers.

Once installed, these apps:

• Hid their icons by disabling launcher activities (banned in Android 13).
• Mimicked trusted apps like Google Voice.
• Bypassed Android 13 restrictions to launch without user interaction.
• They then hijacked devices with full-screen ads, disabled the back button, and escalated to phishing with fake Facebook, YouTube, and payment login pages. This is a growing threat, particularly for non-tech-savvy users in India.
• While many apps focused on ad fraud, others targeted sensitive user data. Victims reported being trapped in endless ad loops or redirected to phishing pages. In some cases, apps falsely warned users of “infections” to trick them into downloading more malware.

How To Stay Safe ?

Although Google has removed most of these malicious apps, users should still take precautions when downloading apps and browsing online. Here are some key safety tips:

• Update Regularly – Keep your Android OS and apps up to date to fix security vulnerabilities.
• Use Security Tools – Enable Google Play Protect to scan apps for threats before downloading.
• Check Installed Apps – Compare your app drawer with Settings > Apps > See All Apps to detect hidden malware.
• Avoid Unnecessary Apps – Download only from trusted developers and review app permissions.